Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 1 May 2005 14:46:29 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Stubbot-B is an IRC backdoor Trojan with worm functionality.
W32/Stubbot-B connects to a preconfigured IRC server and opens a backdoor allowing unauthorised remote access to the infected computer via an IRC network. If the appropriate commands are received from a remote user, W32/Stubbot-B can spread to the startup folders of remote network shares protected by weak passwords, to computers that have a backdoor opened by the MyDoom worm on port 3127, via P2P file-sharing networks and via email.
W32/Stubbot-B runs in the background waiting for commands from a remote intruder. It can be instructed to download and run files, log keypresses, start a web server to aid distribution while spreading, download bot plugins, delete files, start a remote command shell, send itself to other IRC users and send itself as an email attachment.
W32/Stubbot-B copies itself to the Windows system folder as gearsec.exe and creates the following registry entries to run itself on system restart or logon:
```
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Windows = <Windows system>\gearsec.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = Explorer.exe gearsec.exe
```
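Both persistence entries above are easy to spot in an exported registry hive: the Run key gains a value pointing at the dropped file, and the Winlogon `Shell` value, which on a clean system launches only Explorer, gains an extra program. The following script is an added example for this page, not a Sophos tool: it parses text in the standard `reg export` (.reg) format and flags both conditions. The sample export embedded in it is constructed for illustration, not captured from an infection; the only indicator taken from the advisory is the filename `gearsec.exe`.

```python
"""Check a Windows .reg export for the two persistence entries described in the
W32/Stubbot-B advisory (example code added to this page, not a Sophos tool; the
sample export below is constructed, not captured from an infection)."""
import ntpath
import re

# The only dropped filename the advisory names.
DROPPED_FILENAMES = {"gearsec.exe"}

# Registry paths from the advisory, as they appear in a reg export (lower-cased).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# On a clean system the Winlogon Shell value launches Explorer and nothing else.
EXPECTED_SHELL = "explorer.exe"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_PROGRAM_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

# Constructed sample in "Windows Registry Editor Version 5.00" format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"Windows"="C:\\WINDOWS\\system32\\gearsec.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe gearsec.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""


def parse_reg_export(text):
    """Return {key (lower-case): {value name: string data}}.

    Only REG_SZ values ("name"="data") are kept; the checks below need nothing else.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, data = value.groups()
            # .reg files escape backslashes and double quotes inside string data.
            keys[current][name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def first_program(command):
    """Return the executable part of a command line, honouring a quoted path."""
    m = _PROGRAM_RE.match(command)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def check_winlogon_shell(shell_value):
    """Return every program listed in the Shell value other than Explorer itself.

    The worm appends its own file to this value, so any extra token is a finding.
    """
    return [tok for tok in shell_value.split() if tok.lower() != EXPECTED_SHELL]


def check_run_key(run_values):
    """Return (value name, data) for Run entries that launch a known dropped filename."""
    hits = []
    for name, data in run_values.items():
        exe = ntpath.basename(first_program(data)).lower()
        if exe in DROPPED_FILENAMES:
            hits.append((name, data))
    return hits


def triage(reg_text):
    """Run both checks over a .reg export and return the findings."""
    keys = parse_reg_export(reg_text)
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", EXPECTED_SHELL)
    return {
        "run_key": check_run_key(keys.get(RUN_KEY, {})),
        "shell_extras": check_winlogon_shell(shell),
    }


if __name__ == "__main__":
    for what, found in triage(SAMPLE_REG).items():
        print(f"{what}: {found or 'clean'}")
```

The `Shell` check is deliberately not tied to the filename: any program beyond Explorer in that value is worth a look, because the technique is not specific to this worm. The Run-key check, by contrast, matches only the filename the advisory gives, so it will miss a variant that drops a differently named file.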
The worm can copy itself to the shared folders of the P2P networking programs eDonkey2000, Morpheus, Xolox, Kazaa, Shareaza and LimeWire with the following filenames:
- DivX.exe
- Nero_StartSmart.exe
- WinDVD.exe
- PowerDVD.exe
- porno_passchecker.exe
- keylog_hacktool.exe
- FlashFXP.exe
- Winamp.exe
- MSN.exe
- ICQ2005.EXE
Email attachments sent by the worm can have the following filenames:
- Test.exe
- Test.pif
- Details.pif
- Decrypt_mail.pif
- Message.pif
- Instructions-howtofix.txt.pif
- Confirm.exe.pif
- Protected.Storage.Encrypted.XOR.34h.pif
